Beware PayPal's‘"Virtual" Loophole

[InfoSec News <isn () c4i org>]

http://www.eprairie.com/news/viewnews.asp?newsletterID=4097

By ADAM FENDELMAN
Editor-in-Chief
9/3/2002

CHICAGO (Exclusive) - PayPal is an online company that conducts gobs
of online transactions every day. Problem is, it's those "virtual"  
deals that seem most susceptible to fraud, ePrairie has discovered.

To understand the potential loophole, it'd help to first understand
PayPal's practices to prevent fraud. The company, which says it has
been remarkably effective at foiling fraud compared to other Internet
sites, has what it calls a "seller protection policy".

This essentially means that the Mountain View, Calif.-based company
will fight on behalf of sellers when buyers commit various forms of
fraud in an attempt to retrieve the seller's deserved receivables. But
the policy has at least one big exception: it doesn't cover "virtual"  
goods.

For an online company that makes most of its revenue through online
auctions, PayPal says only a small majority of its customers conduct
these kinds of transactions. Just one example is an individual who
paid for banner ad space, signed a contract and then told his credit
card company that he didn't authorize such payment.

While that case is still being fought, the gist is that the product or
service provided isn't tangible and can't be touched or tracked by
online systems, and PayPal therefore doesn't want part in it.

A PayPal spokeswoman said she's well aware that "online fraud is
rampant" and "preventing it has been tough." She added that the
company has a fraud team of 150 people devoted to identifying,
tracking and preventing fraud, but when it comes to online goods,
that's "as tough as it gets."

Without becoming an escrow service (holding funds until both parties
agree), she says that PayPal doesn't have a way of verifying the
consent of both parties. She also dismisses the issue as one that's
not very big and says the company hasn't had enough complaints to
warrant spending the required time and resources to prevent virtual
fraud.

If the transaction's not virtual, PayPal does seem to have in place
lots of seller safety measures.

For example, sellers are not held liable as long as they have a
"verified" business or "premier" account, they ship to the buyer's
"confirmed" address, they ship the product within seven days of
receiving payment, and they can provide "reasonable proof of shipment
that can be tracked online." Also, the product must be “tangible,” the
seller must have accepted a single payment from one PayPal account,
and the seller must have shipped to a domestic buyer at a U.S.  
address.

PayPal has developed its own "buyer complaint" process so buyers who
feel a fake credit card has been used for payment needn't file a
"chargeback," which is a motion to a credit card company that
initiates an investigation that spans 75 business days.

During that period, PayPal recognizes that its allegedly innocent
sellers often feel frustrated that they can only sit back and wait. At
least if you're a seller who has provided a virtual service, now you
know the wait's unnecessary.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.